aboutsummaryrefslogtreecommitdiffstats
path: root/Mailman
diff options
context:
space:
mode:
authorMark Sapiro <msapiro@value.net>2011-10-13 21:06:31 -0700
committerMark Sapiro <msapiro@value.net>2011-10-13 21:06:31 -0700
commit9d0b163d77434a4bc7fbc7e26c7ceeea781c1dc6 (patch)
treeec10bf6fc2052371f68834d53db0b3a2f7a0a54d /Mailman
parent38203d3a52d698b6b459e68063c471b35b9cc9e6 (diff)
downloadmailman2-9d0b163d77434a4bc7fbc7e26c7ceeea781c1dc6.tar.gz
mailman2-9d0b163d77434a4bc7fbc7e26c7ceeea781c1dc6.tar.xz
mailman2-9d0b163d77434a4bc7fbc7e26c7ceeea781c1dc6.zip
The fix for BUG #266220 (sf1181161) has been enhanced so that if there
is a pathological HTML part such that the Approved: password text isn't found, but it is found after stripping out HTML tags, the post is rejected with an informative message.
Diffstat (limited to '')
-rwxr-xr-x[-rw-r--r--]Mailman/Handlers/Approve.py19
1 files changed, 18 insertions, 1 deletions
diff --git a/Mailman/Handlers/Approve.py b/Mailman/Handlers/Approve.py
index 9567325a..cfd76f46 100644..100755
--- a/Mailman/Handlers/Approve.py
+++ b/Mailman/Handlers/Approve.py
@@ -39,6 +39,16 @@ except NameError:
NL = '\n'
+def _(s):
+ # message is translated when used.
+ return s
+REJECT = _("""Message rejected.
+It appears that this message contains an HTML part with the
+Approved: password line, but due to the way it is coded in the
+HTML it can't be safely removed.
+""")
+del _
+
def process(mlist, msg, msgdata):
@@ -100,7 +110,8 @@ def process(mlist, msg, msgdata):
# text part. We make a pattern from the Approved line and delete
# it from all text/* parts in which we find it. It would be
# better to just iterate forward, but email compatability for pre
- # Python 2.2 returns a list, not a true iterator.
+ # Python 2.2 returns a list, not a true iterator. Also, there
+ # are pathological MUAs that put the HTML part first.
#
# This will process all the multipart/alternative parts in the
# message as well as all other text parts. We shouldn't find the
@@ -111,12 +122,18 @@ def process(mlist, msg, msgdata):
# line of HTML or other fancy text may include additional message
# text. This pattern works with HTML. It may not work with rtf
# or whatever else is possible.
+ #
+ # If we don't find the pattern in the decoded part, but we do
+ # find it after stripping HTML tags, we don't know how to remove
+ # it, so we just reject the post.
pattern = name + ':(\xA0|\s|&nbsp;)*' + re.escape(passwd)
for part in typed_subpart_iterator(msg, 'text'):
if part is not None and part.get_payload() is not None:
lines = part.get_payload(decode=True)
if re.search(pattern, lines):
reset_payload(part, re.sub(pattern, '', lines))
+ elif re.search(pattern, re.sub('(?s)<.*?>', '', lines)):
+ raise Errors.RejectMessage, REJECT
if passwd is not missing and mlist.Authenticate((mm_cfg.AuthListPoster,
mm_cfg.AuthListModerator,
mm_cfg.AuthListAdmin),